Dataprotection

Privacy policy 

Controller 

This Privacy Policy applies to the processing of personal data within the meaning of Art. 4 No. 1 of the General Data Protection Regulation (GDPR) by Golding Capital Partners GmbH, Einsteinstr 172, D-81677 Munich, Germany, e-mail: info@goldingcapital.com (the ‘Controller’). 

Data protection officer 

The controller has appointed Dr Volker Wodianka, Wodianka privacy legal GmbH, Dockenhudener Straße 12a, D-22587 Hamburg, email: kontakt@privacy-legal.de as data protection officer. 

What is personal data 

Personal data (hereinafter ‘data’) is information that can be used to identify personal or factual circumstances about the data subject (hereinafter ‘you’, ‘data subject’ or ‘customer(s)’). Data for which no personal reference can be established are not personal data within the meaning of Art. 4 No. 1 GDPR. 

Purposes for which personal data is processed 

The controller processes data from customers or other data subjects as part of the business relationship. In addition, the controller processes user data only insofar as this is necessary to provide a functional website and for content and services. Data is only processed properly with the user's consent or to fulfil (pre)contractual obligations if this is required by law and/or on the basis of a legitimate interest. 

Use of the website 

  • When you visit the controller's website, the following data is processed, which is automatically collected when you use the Internet and is technically necessary for the controller to be able to display the web pages to you: IP address, date and time of the request, time zone difference to Greenwich Mean Time, content of the request, access status, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software. This is necessary to ensure the stability, security and smooth functioning of the services. 
    The required data is temporarily stored in the log files of the controller for a maximum of 7 days. Longer storage is possible, in which case the IP addresses are partially deleted or anonymised to prevent identification. The log files are not stored together with other personal data. The legal basis for this processing is Art. 6 para. 1 lit. f) GDPR. 
    The collection and storage of this data in the log files is crucial for the secure operation and IT security of the website. 

Use of the application form 

  • You have the option of applying online for published job vacancies or submitting a unsolicited application. In this case, data will only be collected if you provide the controller with data of your own accord as part of your application. In particular, this involves your basic data (name and, if applicable, date of birth), contact details (address, telephone number and email address), as well as data relating to your CV and cover letter. 
    The legal basis for this process is Art. 6 para. 1 lit. b) GDPR (implementation of pre-contractual measures). 
    Your personal information and data will be collected and stored with the utmost care and integrity and will only be used to process your application. The processing is necessary for the decision on the establishment of an employment relationship. If your application relates to locations abroad, the controller will also transfer your data to the relevant companies within the Golding Capital Partners Group. 
    If an application for a specific job advertisement is not successful, your data will be stored for evidence purposes for up to 6 months after completion of the application procedure for the possible assertion, exercise or defence of legal claims. 
    The provision of data is not required by law or contract. You are not obliged to provide the data. However, if you do not provide the data, it will not be possible to carry out an application procedure and, if applicable, recruitment. 

Use of the job alert 

  • You have the option of being informed about new job vacancies. To receive the job alert, it is sufficient to provide an e-mail address and search criteria for the location, career level and area of responsibility. In this respect, the data is processed on the basis of your voluntarily granted consent in accordance with Art. 6 para. 1 lit. a) GDPR. Your e-mail address will only be used for this service and will not be passed on to third parties. You can unsubscribe at any time via a link at the end of each e-mail. The controller will then delete your personal data immediately. 

Use of the investor portal 

  • You have the option of using the controller's reporting portal (the so-called ‘investor portal’) if you have been named as the contact person for an investor in an investment programme and your data has been provided as part of the subscription documents. This includes, in particular, your name and business address, telephone number, e-mail address and selection criteria for the desired correspondence. As part of the registration process, you will receive a user name and a temporary password from the person responsible. Your registration is not complete until you have logged in to the portal for the first time. 
    When you visit the controller's investor portal, further usage data, such as the date and time of your visit and the documents accessed, are stored in addition to the information automatically transmitted when you visit the website. 
    The processing of the data is necessary for the administration of the investment programmes in order to fulfil contractual and legal obligations. Due to statutory retention periods, the personal data is stored for at least five years after the end of the participation programme and then generally deleted. The legal basis for processing is Art. 6 para. 1 lit. b) and c) GDPR. 

Use of the due diligence portal 

  • You have the option of using the due diligence portal (the so-called ‘virtual data room’) of the controller if you have been named as a contact person for a (potential) investor in an investment programme and your data has been provided or you have provided it yourself. In particular, this concerns your name and your business e-mail address as well as the investment programme for which you wish to receive information. As part of the registration process, you will receive a user name and a temporary password. Your registration is not complete until you have logged in to the portal for the first time. 
    When you visit the virtual data room, further usage data, such as the date and time of your visit and the documents accessed, are stored in addition to the information automatically transmitted when you visit the website. 
    The processing of personal data is necessary for the administration of the participation programmes in order to fulfil (pre-)contractual and legal obligations. Due to statutory retention periods, the personal data is stored for at least 5 years after the end of the participation programme and then generally deleted. If the institutional investor for whom you have been named as the contact person does not invest in an investment programme, your personal data will also be deleted 6 years after the virtual data room for the respective investment programme has been closed due to statutory retention periods. The legal basis for processing is Art. 6 para. 1 lit. b) and c) GDPR. 
    The controller has commissioned an external service provider to provide the virtual data rooms for the participation programmes. The personal data is also processed by this service provider as part of the administration of the virtual data rooms in order to enable their use. When you visit the virtual data room, you will be redirected to the service provider's website. You can recognise this by the change of URL, among other things. The controller cannot assume any responsibility for the handling of your data on this external website, as the controller has no influence on whether the service provider complies with data protection regulations. Please refer directly to the service provider's website for information on the handling of your personal data. 

Use of the contact form 

  • The controller processes data such as name, address, telephone number or e-mail address when the contact form is used. No other personal data is collected unless you provide this information voluntarily, for example as part of a request for information. 
    The controller uses your personal data for statistical purposes and to carry out pseudonymised evaluations. Only if you have given the controller your prior consent will the controller also use this data for product-related surveys and advertising purposes, but only to the extent necessary for each specific case. The controller will only disclose data to public authorities if this is required by law. The controller's employees are obliged to maintain confidentiality. Personal data will be deleted after the purpose has ceased to exist, provided that there are no statutory retention obligations to the contrary. 

Use of the complaints function 

  • You can submit a complaint to the controller at any time. In this case, data will only be collected if you voluntarily provide it to the controller as part of your complaint. This includes, in particular, your name and address, telephone number, email address and any information that you provide voluntarily as part of the complaint. 
    The processing of personal data is necessary in the context of complaint management to fulfil legal obligations. 

Where does the controller transfer the personal data 

Within the company 

  • Within the company, only those departments have access to your data that need it to fulfil contractual and legal obligations. In addition, service providers and vicarious agents commissioned by the controller may have access to data as part of order processing relationships (in accordance with Art. 28 GDPR). These companies are particularly active in the areas of IT services, accounting and/or reporting. 

Within the group of companies 

  • The controller would like to make it clear in advance that personal data will not be exchanged with third parties or indiscriminately with Golding Group companies at any time. Within the Group, only those departments have access to your data that need it to fulfil contractual and legal obligations. In addition, service providers and vicarious agents commissioned by us may have access to data as part of order processing relationships (in accordance with Art. 28 GDPR). These companies are particularly active in the areas of IT services, accounting and/or reporting. 

External companies and service providers 

  • The controller uses external service providers to process your personal data. These service providers are particularly active in the areas of IT and Internet services (hosting, housing, Internet connection, etc.), telecommunications and e-mail services. The controller selects these service providers carefully, reviews them and contractually commits them. In doing so, the controller ensures that the service providers meet all technical, organisational and legal requirements within the meaning of the GDPR. 
    When selecting external service providers, particularly in the area of hosting and housing of servers and email services, the controller ensures that the service providers are based in Germany or at least within the EU. In this way, the controller avoids using service providers from so-called third countries in accordance with the GDPR (i.e. outside the EU). However, the controller cannot completely rule out the possibility that these service providers may occasionally use sub-service providers in third countries. In addition, the controller may use other service providers based in third countries; the same naturally also applies to sub-service providers that these service providers use. 
    Before using a service provider in a third country and thus transferring personal data to it, the controller checks the legal requirements and, if necessary, concludes additional contractual arrangements with these service providers in accordance with Articles 46 et seq. of the GDPR. These regulations also apply to the service provider's sub-service providers. 
    In general, a transfer is permitted if an adequate level of protection has been established for the third country in which the service provider is based in accordance with Article 45 of the GDPR. If there is no such decision by the Commission in accordance with Article 45 (3) of the GDPR for the country in question, suitable contractual guarantees between the controller and the service provider are required. 
    The Commission defines suitable safeguards as, for example, the use of standard data protection clauses (as of 4 June 2021; Article 46(2)(c) of the GDPR) or binding internal data protection rules in accordance with Article 47 of the GDPR. 

How long the controller stores personal data 

In principle, the controller will only store your data for as long as is appropriate and/or required by law. The appropriateness and necessity of storage depends on the services and/or transactions used (cf. section 4). Your data will also be deleted if the processing was based on your consent and you have withdrawn it.  

Cookies, tracking technologies 

Necessary cookies 

  • These are cookies that are necessary for the use of the controller's website and/or services. These cookies are categorised as ‘Necessary’. 

Analysis and performance cookies 

These are cookies that are used in conjunction with appropriate technologies to analyse and evaluate the usage behaviour of users on goldingcapital.com. These cookies are categorised as “Analysis and performance”, and the cookies are not set directly, but only with your express consent. 

Matomo 

With your consent, the controller uses the web analysis tool ‘Matomo’ to customise the design of the websites. Matomo creates user profiles on the basis of pseudonyms. For this purpose, permanent cookies are stored on your end device and read by the controller. In this way, the controller is able to recognise and count returning visitors. The controller also uses the Heatmap & Session Recording modules. Matomo's heatmap service shows the controller the areas of the website where the mouse is moved most frequently or which are clicked on most often. The session recording service records individual user sessions. The data controller can play back recorded sessions and thus analyse the use of the website. Data entered in forms is not recorded and is not visible at any time. 
Data processing is based on your consent in accordance with Section 25 (1) TDDDG, Art. 6 (1) (a) GDPR, provided that you have given your consent via the cookie banner. You can revoke your consent at any time. Please make the appropriate settings via the cookie banner. 

reCAPTCHA 

To ensure the security of your enquiries via the internet form, the controller uses the reCAPTCHA service of Google LLC. (Google) with your consent. The provider is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. This mechanism is used to check whether the input is made by a human or by automated, machine processes that could be abusive. During this check, your IP address and possibly other data required for Google's reCAPTCHA service will be transmitted to Google. This data is used by Google to provide the service. However, your IP address will be truncated in advance within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and also truncated there. Google will use this information on behalf of the operator of this website to analyse your use of the service. The IP address that your browser transmits as part of reCAPTCHA will not be merged with other Google data. The processing of this data is subject to Google's separate privacy policy. The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a) GDPR, which you can revoke at any time. Further information on Google's privacy policy can be found at: https://policies.google.com/privacy?hl=de 
For the USA, the European Commission adopted its adequacy decision on 10 July 2023. Google LLC is certified under the Data Privacy Framework and an adequate level of data protection can therefore be assumed. 

Further information on Matomo's terms of use and data protection regulations can be found at: https://matomo.org/privacy/ 

Cloudflare 

With your consent, we use the service of Cloudflare, a so-called Content Delivery Network (CDN), on our website. The provider is Cloudflare Inc, 101 Townsend St, San Francisco, CA 94107, USA. The aim is, among other things, to speed up the loading time of the website and to protect it from DDoS attacks. The legal basis for processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time via the cookie banner. 

JsDelivr 

With your consent, this website uses the CDN (Content Delivery Network) of jsDelivr. The provider is ProspectOne, Krolewska 65A/1, 30-081, Krakow, Poland. As a result, content, especially large files, can be delivered quickly and optimally even at high load peaks. The legal basis for processing is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. You can withdraw your consent at any time. 

Rights of data subjects 

You have a right to information from the controller. To do so, please send an email to the controller at Info@golding.com, stating the following information about yourself: first and last name and, if applicable, your maiden name (if you have recently married), current postal address (including your old address if you have recently moved) and your email address. If your stored data is incorrect and/or incomplete, you have the right to have it corrected and/or completed. In accordance with Art. 17 GDPR, you have the right to request the erasure of your data by the controller. It is important to note that, depending on the service used (see section 4), different rights and obligations may exist with regard to the storage of your data. Without prejudice to the aforementioned rights, you also have the right to restrict processing (Art. 18 GDPR). According to Art. 20 GDPR, you have the right to data portability (Art. 20 GDPR). You also have the right to complain to the competent data protection supervisory authority about data processing by the controller. 

Right of objection and revocation of a given consent 

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, provided that the processing is carried out on the basis of legitimate interest (Art. 6 para. 1 lit. f) GDPR). If you exercise this right, the controller will cease processing the personal data concerned with effect for the future. However, if there are compelling legitimate grounds for the processing or the processing serves the assertion, exercise or defence of legal claims on the part of the controller, the request may be rejected.  

You can withdraw your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given before the GDPR came into force, i.e. before 25 May 2018. 

Updating the privacy policy 

We will amend this privacy policy from time to time if this is necessary due to changes in data processing. Please inform yourself regularly about the content of our privacy policy and also about the up-to-dateness of contact information from third parties. 

Status: June 2024